From 705b8da05339cdea8e236373221002fb47676d35 Mon Sep 17 00:00:00 2001
From: Ahmed Bouhuolia
Date: Wed, 21 Aug 2024 01:04:18 +0200
Subject: [PATCH] fix: protect the one-click demo accounts endpoints

---
 .../OneClickDemo/OneClickDemoController.ts | 26 +++++++++++++++----
 1 file changed, 21 insertions(+), 5 deletions(-)

diff --git a/packages/server/src/api/controllers/OneClickDemo/OneClickDemoController.ts b/packages/server/src/api/controllers/OneClickDemo/OneClickDemoController.ts
index 96a41ca51..1a92c18f8 100644
--- a/packages/server/src/api/controllers/OneClickDemo/OneClickDemoController.ts
+++ b/packages/server/src/api/controllers/OneClickDemo/OneClickDemoController.ts
@@ -4,7 +4,7 @@ import { body } from 'express-validator';
 import asyncMiddleware from '@/api/middleware/asyncMiddleware';
 import BaseController from '@/api/controllers/BaseController';
 import { OneClickDemoApplication } from '@/services/OneClickDemo/OneClickDemoApplication';
-
+import config from '@/config';
 @Service()
 export class OneClickDemoController extends BaseController {
 @Inject()
@@ -16,13 +16,29 @@ export class OneClickDemoController extends BaseController {
 router() {
 const router = Router();
 
- router.post('/one_click', asyncMiddleware(this.oneClickDemo.bind(this)));
+ // Protects the endpoints if the feature is not enabled.
+ const protectMiddleware = (
+ req: Request,
+ res: Response,
+ next: NextFunction
+ ) => {
+ // Add your protection logic here
+ if (config.oneClickDemoAccounts) {
+ next();
+ } else {
+ res.status(403).send({ message: 'Forbidden' });
+ }
+ };
 router.post(
+ '/one_click',
+ protectMiddleware,
+ asyncMiddleware(this.oneClickDemo.bind(this))
+ );
 router.post(
+ '/one_click_signin',
- [
- body('demo_id').exists(),
- ],
+ [body('demo_id').exists()],
 this.validationResult,
+ protectMiddleware,
 asyncMiddleware(this.oneClickSignIn.bind(this))
 );
 return router;
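Review bot: On the `/one_click_signin` route the feature gate is installed after `[body('demo_id').exists()]` and `this.validationResult`, so with `config.oneClickDemoAccounts` off a malformed request is answered by the validator rather than the 403, and request input is still parsed and validated for a feature that is meant to be switched off; put the gate first, as the `/one_click` route already does, so it fails closed before any input handling: `router.post('/one_click_signin', protectMiddleware, [body('demo_id').exists()], this.validationResult, asyncMiddleware(this.oneClickSignIn.bind(this)))`. The scaffold comment `// Add your protection logic here` no longer describes the code and should be replaced with something like `// Fail closed: demo-account endpoints are served only while the feature flag is enabled.`. If `config.oneClickDemoAccounts` is derived from an environment variable, a string such as `'false'` is truthy and would pass this check, so the flag should be normalized to a boolean where the config is loaded (cannot be confirmed from this hunk). `Request`, `Response` and `NextFunction` are used but their import is outside the hunk; confirm they are brought in from express at the top of the file.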